The life of an Ethical Hacker

When we think of hacking, we often think of the negative side of it. But ethical hackers do just the opposite: they deliberately break into organizations' systems to detect vulnerabilities so that they can be fixed before malicious hackers exploit them.

In this blog post, ethical hacker Remco tells you all about the life of an ethical hacker, from his daily activities and discovered vulnerabilities to how you can become an ethical hacker.

What does an ethical hacker do?

“As an ethical hacker at Warpnet, I perform a new pen test on different clients' systems every week. This can be anything: internal networks, web applications, mobile apps or cloud configurations. Each test starts with analyzing how the system or application is put together. Then we look at whether the system or application contains known vulnerabilities (think outdated versions of WordPress, for example), but we also look for unknown vulnerabilities. The latter are our added value. Our working method is as follows:

1. Preliminary research: We check that systems are up-to-date and look for known vulnerabilities that are publicly available.
2. Searching for unknown vulnerabilities: This is where most of our time goes. Especially with web applications, we use tools like Burp Suite, which allows us to intercept all the traffic between the user's browser and the server. This is how we gain insight into how the application works.
3. Testing of functionalities: We try to perform actions for which the system or application is not intended and try to cross security barriers.
4. Report: We report using standard frameworks such as OWASP and MITRE, documenting each vulnerability with the type of vulnerability, a recommendation, a reference and a risk assessment.”

High-impact vulnerabilities

“During a pen test I conducted for a client, I discovered a serious vulnerability in an application built with PHP. Because the file filter had not been properly implemented, it turned out to be possible to upload PHP files. This allowed me to take full control of the system, also known as remote code execution. This is one of the most impactful vulnerabilities you can find.

Outside of work hours, I found a vulnerability in Microsoft Windows. This was a leak where you could remotely stop a key process, preventing users from logging in. Consider, for example, a corporate network where all staff would no longer have access to their Windows account. There, this would have had a huge impact. I neatly reported this finding to Microsoft.”

‘What I like most about my job is that every week I dive into a new system that I often haven't seen before. That's super educational, because you take that knowledge back to subsequent tests.’

Ethics over curiosity

“There have been times when I have had to balance my responsibility with my curiosity. For example, when I discovered that I could access a system with quite sensitive data, related to government information. At that point I had to make a trade-off: is the fact that I have access enough to report, or should I go further and see what other actions I can take?

I chose to neatly report that I could gain access, without performing any further actions. In such situations, it is important to remain ethical and take responsibility for what you discover.”

How do you become an ethical hacker?

“I myself first studied MBO Network & ICT management and then HBO ICT with a major in network & security. A study is a good basis, but to really learn how to hack you can practice on different platforms nowadays, such as Hack The Box. These platforms offer challenges of different levels. In addition, getting certificates is important. I obtained the OSCP certificate during my studies. This is one of the better-known certificates that show you have a good base of knowledge and can apply it under time pressure.” 

The traits of an ethical hacker

“A good ethical hacker is not someone who just colors neatly within the lines. It is precisely the people who dare to deviate from the standard path that make the difference. They are curious, creative and think in terms of possibilities that others might overlook.

Ethical hackers are often engaged in their craft outside of work hours as well. They participate in Capture The Flag (CTF) competitions, build their own tools, dive into previously found vulnerabilities and contribute to security investigations. They do this because they enjoy it, want to learn and discover.”

‘The challenge? That lies in him how fast the world of cybersecurity is changing. Think of developments like AI, new tools and increasingly sophisticated technology.’

A look to the future

“In ten years, I hope I will have made a valuable contribution to discovering new vulnerabilities, for example within commonly used systems like Windows. I want to develop tools that will make the job easier for other ethical hackers, and that we can also use in future pen tests at Warpnet.

Obtaining relevant certifications is also part of that. And I want to delve further into cloud security so I can make an impact in that area as well.”